There was a time where getting information about the content stored
in the DNS was easy: just fire
dig from any machine in the Internet and ask
your question. It has never been a perfect solution (because of
caching and because of different network
connectivity) but it worked most of the time: the DNS was supposed to
give the same data to anyone. Now, several recent changes make this
solution too limited. We need DNS Looking
Glasses.
What are these changes?
Answers can be different depending on the source IP address of the query, for instance to direct users to a
closer server.Cache poisoning may have the effect that
the users of some resolvers/caches will see a different set of data.DNSSEC can have an effect. Today, some
resolvers validate and some do not. If a DNS zone administrator makes
a mistake, validating resolvers will experience a problem but not the
users of non-validating resolvers.Lying resolvers can rewrite answers for
their users.Legal requirments on DNS censorship (both in dictatorships and
in democracies) may make some data unavailable (or modified) from some
places.
It means we need DNS Looking Glasses, points of
observation to look at the DNS data from a different viewpoint. Such
looking glasses are already very common to observe
BGP but not for the DNS. People typically use
open resolvers, DNS resolvers open for everyone, for that purpose (for instance,
scientific papers analyzing the DNS are often based on surveys with
open resolvers). But they
create various security problems and that's why the
recommends their closing.
Therefore, I present here three things:
A proposal for the format of requests and responses of these DNS
looking glasses.A free program
implementing this format.An actual service with this software that you can query.
The service is available using the REST
paradigm, at https://dns.bortzmeyer.org/$DOMAIN[/$TYPE] where DOMAIN is the domain
name and TYPE a DNS record type (such as AAAA or MX). For instance,
will get you
the AAAA record for the name example.com. There is no
Web form, you have to construct the
URL and send it with a
HTTP client (which can be a Web
browser or a program like curl; you
do not need a DNS client like dig or drill). Of
course, people are welcome to write such a form. The complete
documentation of this service is available
online (for instance, you can change the output format, it does
not have to be HTML).
Since the DNS looking glass uses a structured output format, it is
quit easy to develop a program which will query the existing looking
glasses instances and ask them a question. Such programs are available
in
the subdirectory usages/ of the distribution. For instance, the
program get-ip asks for the IP addresses of its
argument:
% ./get-ip www.ietf.org
http://dns-lg.tetaneutral.net/: [64.170.98.30 2001:1890:126c::1:1e]
http://dns.bortzmeyer.org/: [64.170.98.30 2001:1890:126c::1:1e]
http://dns-lg.dk-hostmaster.dk/: [64.170.98.30 2001:1890:126c::1:1e]
http://dnslg.generic-nic.net/: [64.170.98.30 2001:1890:126c::1:1e]
http://dns-lg.vs.uni-due.de/: [64.170.98.30 2001:1890:126c::1:1e]
Here, you see the same results from all the instances?. If you don't,
it does not always mean there is someone with nefarious aims in the
middle. Some services do send different DNS replies, depending where
you ask, in order for instance to balance the load geographically:
% ./get-ip pool.ntp.org
http://dns-lg.tetaneutral.net/: [193.52.136.2 213.251.172.92 88.190.219.242 91.121.92.90]
http://dns-lg.dk-hostmaster.dk/: [217.198.219.102 80.196.238.30 94.126.0.23 80.71.132.103]
http://dns.bortzmeyer.org/: [199.7.177.206 204.235.61.9 64.16.214.60 72.8.140.240]
http://dns-lg.vs.uni-due.de/: [176.9.47.150 188.174.232.178 89.238.66.126 89.238.75.57]
http://dnslg.generic-nic.net/: [193.52.136.2 213.251.172.92 88.190.219.242 188.165.211.5]
The program is freely available (under a free software license) at the FramaGit hosting
service. You can install it on your own machines (it requires
Python and a few non-standard packages, as well
as a WSGI-able server such as
Apache or Nginx). This
way, we will have many looking glasses around the planet (remember they
will not all see the same thing, which is the reason we need several).
By the way, FramaGit (a GitLab) provides an
issue tracker and the recommended way to report
bugs, send patches or give advices is to use this tracker. (It
requires a FramaGit account but it is easier for me to rely
on an existing, and nice, tool.) Do not forget to read the existing issues to be sure yours is not a duplicate.
The proposal for the request and response format is in the sources
of the above program (specially the "Format-specific things" section
of the README). It may be implemented by other programs, free or
not. Do note that, at this time (june 2012), it is not yet stable and
certainly not "standard" in any way. The output
XML format follows partially the format of Internet-Drafts
draft-mohan-dns-query-xml for the outer elements (plus some
extensions) and of draft-daley-dns-schema for the resource data. (Other output formats are available, see the documentation.)
Here are some existing DNS looking glasses: most are Web-only, with
no API to automatize them or to provide an
alternative interface, and no structured output:
, structured output, source code available,, structured output, written in Java, (REST URLs and a
structured output, in JSON) (also reachable with the
DNS protocol; managed in China) Example: (this one has REST URLs) (this one has REST URLs) (requires knowing the raw syntax of dig) (only A records)